MBeans (The role-based authorization check failed for admin-authz operation) - Websphere



Thread: MBeans (The role-based authorization check failed for admin-authz operation)

  1. MBeans (The role-based authorization check failed for admin-authz operation)


    I have tried to execute SecurityAdmin.purgeUserFromAuthCache() by calling
    WebServer's MBeansServer from session EJB, but I got this error:

    00000024 RoleBasedAuth A SECJ0305I: The role-based authorization check
    failed for admin-authz operation SecurityAdmin:purgeUserFromAuthCache. The
    user MyUser1 (unique ID: user:customRealm/MyUser1) was not granted any of
    the following required roles: administrator, configurator.

    I am using a custom registry to add MyUser1 to the configurator group (inside
    getUniqueGroupIds()), but I still get the above error message.

    Please help.



  2. Re: MBeans (The role-based authorization check failed for admin-authz operation)

    Sorry to ask an obvious question... but just in case. Have you granted your
    custom configurator group the admin configurator role ?

    --
    Stephen

    "John Smith" wrote in message
    news:gdhi3p$12s14$1@news.boulder.ibm.com...
    >
    > I have tried to execute SecurityAdmin.purgeUserFromAuthCache() by calling
    > WebServer's MBeansServer from session EJB, but I got this error:
    >
    > 00000024 RoleBasedAuth A SECJ0305I: The role-based authorization check
    > failed for admin-authz operation SecurityAdmin:purgeUserFromAuthCache. The
    > user MyUser1 (unique ID: user:customRealm/MyUser1) was not granted any of
    > the following required roles: administrator, configurator.
    >
    > I am using a custom registry to add MyUser1 to the configurator group (inside
    > getUniqueGroupIds()), but I still get the above error message.
    >
    > Please help.
    >




  3. Re: MBeans (The role-based authorization check failed for admin-authz operation)

    Hi Stephen,

    I asked a similar question a few weeks ago, but since I haven't solved my
    problem yet, I have to ask for help again. In my previous post you helped
    me come closer to the solution, but it still doesn't work.

    > Sorry to ask an obvious question... but just in case. Have you granted
    > your custom configurator group the admin configurator role ?


    After reading the above comment I have tried one more time and it worked!
    Well, this code works:

    mbeanServer.invoke(securityAdmin, "clearAuthCache", null, null);

    but this code:

    String[] sa = {null, user};
    mbeanServer.invoke(securityAdmin, "purgeUserFromAuthCache", sa, null);

    throws an exception:

    Target method not found:
    com.ibm.ws.security.core.SecurityAdmin.purgeUserFromAuthCache

    However, after successfully calling clearAuthCache(), only the rights of
    wasadmin (the name of the WAS administrator who can log in to the WAS admin
    console) are read from the custom registry again. This is the custom
    registry stack trace right after calling clearAuthCache() (read from top to
    bottom):

    Inside checkPassword(wasadmin, dev2dev)
    Inside getUniqueUserId(wasadmin)
    Inside getUniqueGroupIds(wasadmin)
    Inside getUserSecurityName(wasadmin)

    I expected that it would also read the rights of MyUser1 again, but it didn't.
    MyUser1 still gets:

    Authorization failed for MyUser1 while invoking GET on
    default_host:myApp/myFolder/myPage.faces, Authorization failed, Not granted
    any of the required roles: someRole1, someRole2

    I expected that the custom registry's getUniqueGroupIds() method would be
    called for MyUser1:

    Inside getUniqueGroupIds(MyUser1)

    which would assign someRole1 to MyUser1.

    What should I do?



  4. Re: MBeans (The role-based authorization check failed for admin-authz operation)

    Firstly let's consider the Target method not found exception.

    > mbeanServer.invoke(securityAdmin, "purgeUserFromAuthCache", sa, null);


    Passing a null signature to invoke() makes it look for a
    purgeUserFromAuthCache() operation, not a purgeUserFromAuthCache(String,
    String) operation, on the MBean.

    Object[] sa = {null, user};
    String[] sig = { "java.lang.String", "java.lang.String" };
    mbeanServer.invoke(securityAdmin, "purgeUserFromAuthCache", sa, sig);

    Secondly there's the question of who should be authorised to call these
    methods. I wouldn't recommend giving general users "configurator" access to
    the cell. Better to invoke an EJB on their behalf which has an appropriate
    "RunAs" subject (which does have the "configurator" authority) or to
    temporarily assert such a Subject (see WSSubject.doAs in the InfoCenter).

    Thirdly I'm still concerned about the scope of your MBean invocation. In
    general MBeans and MBeanServers are scoped to one JVM. So if you locate the
    MBeanServer and thence the SecurityAdmin MBean, that's only the local JVM's
    cache that's being affected. If you're running an ND Cell with multiple
    servers, there could be other caches in other servers which are not being
    purged. I'm still uncertain whether that matters to your application
    design.

    --
    Stephen

    "John Smith" wrote in message
    news:gdk5rg$26k7o$1@news.boulder.ibm.com...
    > Hi Stephen,
    >
    > I asked a similar question a few weeks ago, but since I haven't solved my
    > problem yet, I have to ask for help again. In my previous post you helped
    > me come closer to the solution, but it still doesn't work.
    >
    >> Sorry to ask an obvious question... but just in case. Have you granted
    >> your custom configurator group the admin configurator role ?

    >
    > After reading the above comment I have tried one more time and it worked!
    > Well, this code works:
    >
    > mbeanServer.invoke(securityAdmin, "clearAuthCache", null, null);
    >
    > but this code:
    >
    > String[] sa = {null, user};
    > mbeanServer.invoke(securityAdmin, "purgeUserFromAuthCache", sa, null);
    >
    > throws an exception:
    >
    > Target method not found:
    > com.ibm.ws.security.core.SecurityAdmin.purgeUserFromAuthCache
    >
    > However, after successfully calling clearAuthCache(), only the rights of
    > wasadmin (the name of the WAS administrator who can log in to the WAS admin
    > console) are read from the custom registry again. This is the custom
    > registry stack trace right after calling clearAuthCache() (read from top to
    > bottom):
    >
    > Inside checkPassword(wasadmin, dev2dev)
    > Inside getUniqueUserId(wasadmin)
    > Inside getUniqueGroupIds(wasadmin)
    > Inside getUserSecurityName(wasadmin)
    >
    > I expected that it would also read the rights of MyUser1 again, but it
    > didn't. MyUser1 still gets:
    >
    > Authorization failed for MyUser1 while invoking GET on
    > default_host:myApp/myFolder/myPage.faces, Authorization failed, Not
    > granted any of the required roles: someRole1, someRole2
    >
    > I expected that the custom registry's getUniqueGroupIds() method would be
    > called for MyUser1:
    >
    > Inside getUniqueGroupIds(MyUser1)
    >
    > which would assign someRole1 to MyUser1.
    >
    > What should I do?
    >

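An added example (not code from the thread or from IBM) putting Stephen's first two points together: the JMX signature is resolved from the MBean's own MBeanInfo so the invoke() cannot silently select the zero-argument overload, and the purge runs under an administrative Subject via WSSubject.doAs instead of granting the end user the configurator role. The class name, the `realm` parameter and the pre-authenticated `adminSubject` are assumptions; the code assumes the WebSphere `com.ibm.websphere.security.auth.WSSubject` class is on the classpath.

```java
import java.security.PrivilegedExceptionAction;
import javax.management.MBeanOperationInfo;
import javax.management.MBeanParameterInfo;
import javax.management.MBeanServer;
import javax.management.ObjectName;
import javax.management.ReflectionException;
import javax.security.auth.Subject;
import com.ibm.websphere.security.auth.WSSubject;

// Hypothetical helper written for this thread; not part of the original post.
public final class AuthCachePurger {

    private final MBeanServer mbeanServer;
    private final ObjectName securityAdmin;   // e.g. the result of a queryNames for type=SecurityAdmin

    public AuthCachePurger(MBeanServer mbeanServer, ObjectName securityAdmin) {
        this.mbeanServer = mbeanServer;
        this.securityAdmin = securityAdmin;
    }

    /** Builds the signature array for the operation with the given name and arity
     *  from MBeanInfo, so invoke() matches the overload the MBean really exposes. */
    String[] signatureFor(String operation, int arity) throws Exception {
        for (MBeanOperationInfo op : mbeanServer.getMBeanInfo(securityAdmin).getOperations()) {
            MBeanParameterInfo[] params = op.getSignature();
            if (op.getName().equals(operation) && params.length == arity) {
                String[] sig = new String[params.length];
                for (int i = 0; i < params.length; i++) {
                    sig[i] = params[i].getType();   // fully qualified type, e.g. java.lang.String
                }
                return sig;
            }
        }
        // Same failure mode as "Target method not found", but raised before the call.
        throw new ReflectionException(new NoSuchMethodException(operation + "/" + arity));
    }

    /** Purges one user's entry from this JVM's authentication cache (local JVM only). */
    public void purgeUser(String realm, String user) throws Exception {
        Object[] args = { realm, user };   // realm may be null, as in the thread
        String[] sig = signatureFor("purgeUserFromAuthCache", args.length);
        mbeanServer.invoke(securityAdmin, "purgeUserFromAuthCache", args, sig);
    }

    /** Runs the purge under an administrative Subject (RunAs-style) so the
     *  calling end user never needs the configurator role. */
    public void purgeUserAs(Subject adminSubject, String realm, String user) throws Exception {
        WSSubject.doAs(adminSubject, (PrivilegedExceptionAction<Void>) () -> {
            purgeUser(realm, user);
            return null;
        });
    }
}
```

As Stephen notes, this only clears the cache of the JVM whose MBeanServer was located; in an ND cell the same invoke would have to be repeated against the SecurityAdmin MBean of every server.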



  5. Re: MBeans (The role-based authorization check failed for admin-authz operation)

    > Passing a null signature to invoke() makes it look for a
    > purgeUserFromAuthCache() operation, not a purgeUserFromAuthCache(String,
    > String) operation, on the MBean.
    >
    > Object[] sa = {null, user};
    > String[] sig = { "java.lang.String", "java.lang.String" };
    > mbeanServer.invoke(securityAdmin, "purgeUserFromAuthCache", sa, sig);


    Oh, thank you. It works fine now, and now I get it.

    > Secondly there's the question of who should be authorised to call these
    > methods. I wouldn't recommend giving general users "configurator" access
    > to the cell. Better to invoke an EJB on their behalf which has an
    > appropriate "RunAs" subject (which does have the "configurator" authority)
    > or to temporarily assert such a Subject (see WSSubject.doAs in the
    > InfoCenter).


    Yes, I agree. I will do as you suggest.

    > Thirdly I'm still concerned about the scope of your MBean invocation. In
    > general MBeans and MBeanServers are scoped to one JVM. So if you locate
    > the MBeanServer and thence the SecurityAdmin MBean, that's only the local
    > JVM's cache that's being affected. If you're running an ND Cell with
    > multiple servers, there could be other caches in other servers which are
    > not being purged. I'm still uncertain whether that matters to your
    > application design.


    I am not running ND. However, after calling purgeUserFromAuthCache() it
    works just fine now.

    Thank you very much for your help.


